RCTF rev 复盘

LoongArch

ld.d t0,sp,0 
ld.d t1,sp,8 
ld.d t2,sp,16 
ld.d t3,sp,24
ld.d t4,sp,32
ld.d t5,sp,40
ld.d t6,sp,48
ld.d t7,sp,56

xor t0,t0,t4
xor t1,t1,t5
xor t2,t2,t6
xor t3,t3,t7

bitrev.d t4,t0
bitrev.d t5,t1
bitrev.d t6,t2
bitrev.d t7,t3

bytepick.d t0,t6,t5,3
bytepick.d t1,t4,t7,3
bytepick.d t2,t5,t4,3
bytepick.d t3,t7,t6,3

bitrev.8b t4,t0
bitrev.8b t5,t1
bitrev.8b t6,t2
bitrev.8b t7,t3

ld.d t0,sp,64 
ld.d t1,sp,72
ld.d t2,sp,80 
ld.d t3,sp,88

xor t0,t0,t4
xor t1,t1,t5
xor t2,t2,t6
xor t3,t3,t7

addi.d a0,zero,1
addi.d a1,sp,32
li.d a2,64
li.d a7,64
syscall 0

li.d t4,64
clo.d t5,t0
bne t5,t4,fail
clo.d t5,t1
bne t5,t4,fail
clo.d t5,t2
bne t5,t4,fail
clo.d t5,t3
bne t5,t4,fail
b success

在比赛的时候因为py脚本写的不对，没有处理好bitrev_d和bitrev_8b导致浪费时间。基本功还是要练扎实= =。

def qword2bit(a):
    re = []
    for i in range(64):
        re.append(a%2)
        a >>= 1
    return re[::-1]

def bit2qword(a):
    re = ""
    for i in a:
        re += str(i)
    return int(re,2)

def bitrev_8b(a):
    re = []
    for i in range(0,64,8):
        re += a[i:i+8][::-1]
    return re

def bytepick_d(a,b,n):
    return b[8*(n):64]+a[0:8*(n)]

def bitrev_d(a):
    return a[::-1]

xor1 = [0x8205f3d105b3059d,0xa89aceb3093349f3,0xd53db5adbcabb984,0x39cea0bfd9d2c2d4]
xor2 = [0xc513455508290500,0x6d621abb30b918,0xbc555b9f4c6f86a1,0x50d78ad181a626d]

a = [i^0xffffffffffffffff for i in xor2]

b = [qword2bit(i) for i in a]

c = [bitrev_8b(i) for i in b]

d = [bytepick_d(c[2],c[1],5),
    bytepick_d(c[0],c[2],5),
    bytepick_d(c[3],c[0],5),
    bytepick_d(c[1],c[3],5)]

e = [bitrev_d(i) for i in d]

f = [bit2qword(i) for i in e]

g = [f[i]^xor1[i] for i in range(4)]

for i in g:
    for j in range(8):
        print(chr(i&0xff),end='')
        i >>= 8

print()

Reference

https://blog.rois.io/en/2021/rctf-2021-official-writeup/